The European Data Protection Board


Having regard to Article 70 (1) (e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”),


Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018,


Having regard to Article 12 and Article 22 of its Rules of Procedure,


HAS ADOPTED THE FOLLOWING GUIDELINES 


1 INTRODUCTION 


Due to the COVID-19 pandemic, there are currently great scientific research efforts in the fight against SARS-CoV-2 in order to produce research results as fast as possible.


At the same time, legal questions concerning the use of health data pursuant to Article 4 (15) GDPR 
for such research purposes keep arising. The present guidelines aim to shed light on the most urgent 
of these questions such as the legal basis, the implementation of adequate safeguards for such 
processing of health data and the exercise of the data subject rights. 


Please note that the development of a further and more detailed guidance for the processing of health 
data for the purpose of scientific research is part of the annual work plan of the EDPB. Also, please 
note that the current guidelines do not revolve around the processing of personal data for 
epidemiological surveillance. 


2 APPLICATION OF THE GDPR 


Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the COVID-19 pandemic.¹ The GDPR is a broad piece of legislation and provides for several provisions that allow the processing of personal data for the purpose of scientific research connected to the COVID-19 pandemic to be handled in compliance with the fundamental rights to privacy and personal data protection.² The GDPR also foresees a specific derogation to the prohibition of processing of certain special categories of personal data, such as health data, where it is necessary for these purposes of scientific research.³


Fundamental Rights of the EU must be applied when processing health data for the purpose of scientific research connected to the COVID-19 pandemic. Neither the Data Protection Rules nor the Freedom of Science pursuant to Article 13 of the Charter of Fundamental Rights of the EU have precedence over the other. Rather, these rights and freedoms must be carefully assessed and balanced, resulting in an outcome which respects the essence of both.


¹ See the Statement of the EDPB from 19.3.2020 on the general processing of personal data in the context of the COVID-19 outbreak, available at https://edpb.europa.eu/our-work-tools/our-documents/other/statement-processing-personal-data-context-covid-19-outbreak_en.

² See for example Article 5 (1) (b) and (e), Article 14 (5) (b) and Article 17 (3) (d) GDPR.

³ See for example Article 9 (2) (j) and Article 89 (2) GDPR.


3 DEFINITIONS 


It is important to understand which processing operations benefit from the special regime foreseen in the GDPR and elaborated on in the present guidelines. Therefore, the terms “data concerning health”, “processing for the purpose of scientific research” as well as “further processing” (also referred to as “primary and secondary usage of health data”) must be defined.


3.1 “Data concerning health” 

According to Article 4 (15) GDPR, “data concerning health” means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. As indicated by Recital 53, data concerning health deserves higher protection, as the use of such sensitive data may have significant adverse impacts for data subjects. In the light of this and the relevant jurisprudence of the European Court of Justice (“ECJ”),⁴ the term “data concerning health” must be given a wide interpretation.


Data concerning health can be derived from different sources, for example: 


1. Information collected by a health care provider in a patient record (such as medical history 
and results of examinations and treatments). 


2. Information that becomes health data by cross referencing with other data thus revealing the 
state of health or health risks (such as the assumption that a person has a higher risk of 
suffering heart attacks based on the high blood pressure measured over a certain period of 
time). 


3. Information from a “self check” survey, where data subjects answer questions related to their 
health (such as stating symptoms). 


4. Information that becomes health data because of its usage in a specific context (such as 
information regarding a recent trip to or presence in a region affected with COVID-19 
processed by a medical professional to make a diagnosis). 


3.2 “Processing for the purpose of scientific research” 

Article 4 GDPR does not entail an explicit definition of “processing for the purpose of scientific research”. As indicated by Recital 159, “the term processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union’s objective under Article 179 (1) TFEU of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health.”


The former Article 29 Working Party has already pointed out that the term may not be stretched beyond its common meaning though and understands that “scientific research” in this context means “a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice”.⁵


⁴ See for example, regarding the Directive 95/46/EC, ECJ 6.11.2003, C-101/01 (Lindqvist) paragraph 50.


3.3 “Further processing”

Finally, when talking about “processing of health data for the purpose of scientific research”, there are two types of data usages:


1. Research on personal (health) data which consists in the use of data directly collected for the purpose of scientific studies (“primary use”).


2. Research on personal (health) data which consists of the further processing of data initially 
collected for another purpose (“secondary use”). 


Example 1: For conducting a clinical trial on individuals suspected to be infected with SARS-CoV-2, 
health data are collected and questionnaires are used. This is a case of “primary use” of health data as 
defined above. 


Example 2: A data subject has consulted a healthcare provider as a patient regarding symptoms of the 
SARS-CoV-2. If health data recorded by the health care provider is being used for scientific research 
purposes later on, this usage is classified as further processing of health data (secondary use) that has 
been collected for another initial purpose. 


The distinction between scientific research based on primary or secondary usage of health data will 
become particularly important when talking about the legal basis for the processing, the information 
obligations and the purpose limitation principle pursuant to Article 5 (1) (b) GDPR as outlined below. 


4 LEGAL BASIS FOR THE PROCESSING 


All processing of personal data concerning health must comply with the principles relating to processing set out in Article 5 GDPR and with one of the legal grounds and the specific derogations listed respectively in Article 6 and Article 9 GDPR for the lawful processing of this special category of personal data.⁶


Legal bases and applicable derogations for processing health data for the purpose of scientific research 
are provided for respectively in Article 6 and Article 9. In the following section, the rules concerning 
consent and respective national legislation are addressed. It has to be noted that there is no ranking 
between the legal bases stipulated in the GDPR. 


4.1 Consent 


The consent of the data subject, collected pursuant to Article 6 (1) (a) and Article 9 (2) (a) GDPR, may 
provide a legal basis for the processing of data concerning health in the COVID-19 context. 


However, it has to be noted that all the conditions for explicit consent, particularly those found in Article 4 (11), Article 6 (1) (a), Article 7 and Article 9 (2) (a) GDPR, must be fulfilled. Notably, consent must be freely given, specific, informed, and unambiguous, and it must be made by way of a statement or “clear affirmative action”.


⁵ See the Guidelines on Consent under Regulation 2016/679 of the former Article 29 Working Party from 10.04.2018, WP259 rev.01, 17/EN, page 27 (endorsed by the EDPB).

⁶ See for example, regarding the Directive 95/46/EC, ECJ 13.5.2014, C-131/12 (Google Spain), paragraph 71.
As stated in Recital 43, consent cannot be considered freely given if there is a clear imbalance between the data subject and the controller. It is therefore important that a data subject is not pressured and does not suffer from disadvantages if they decide not to give consent. The EDPB has already addressed consent in the context of clinical trials.⁷ Further guidance, particularly on the topic of explicit consent, can be found in the consent guidelines of the former Article 29 Working Party.⁸


Example: A survey is conducted as part of a non-interventional study on a given population, 
researching symptoms and the progress of a disease. For the processing of such health data, the 
researchers may seek the consent of the data subject under the conditions as stipulated in Article 7 
GDPR. 


In the view of the EDPB, the example above is not considered a case of “clear imbalance of power” as mentioned in Recital 43 and the data subject should be able to give the consent to the researchers.⁹ In the example, the data subjects are not in a situation of any dependency on the researchers that could inappropriately influence the exercise of their free will, and it is also clear that there will be no adverse consequences if they refuse to give their consent.


However, researchers should be aware that if consent is used as the lawful basis for processing, there must be a possibility for individuals to withdraw that consent at any time pursuant to Article 7 (3) GDPR. If consent is withdrawn, all data processing operations that were based on consent remain lawful in accordance with the GDPR, but the controller shall stop the processing actions concerned and, if there is no other lawful basis justifying the retention for further processing, the data should be deleted by the controller.¹⁰


4.2 National legislations 

Article 6 (1) (e) or 6 (1) (f) GDPR in combination with the enacted derogations under Article 9 (2) (j) or Article 9 (2) (i) GDPR can provide a legal basis for the processing of personal (health) data for scientific research. In the context of clinical trials, this has already been clarified by the Board.¹¹


Example: A large population-based study conducted on medical charts of COVID-19 patients.


As outlined above, the EU as well as the national legislator of each Member State may enact specific laws pursuant to Article 9 (2) (j) or Article 9 (2) (i) GDPR to provide a legal basis for the processing of health data for the purpose of scientific research. Therefore, the conditions and the extent for such processing vary depending on the enacted laws of the particular Member State.


As stipulated in Article 9 (2) (i) GDPR, such laws shall provide “for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”. As similarly stipulated in Article 9 (2) (j) GDPR, such enacted laws “shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.


⁷ See Opinion 3/2019 of the EDPB from 23.1.2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR), available at https://edpb.europa.eu/our-work-tools/our-documents/avis-art-70/opinion-32019-concerning-questions-and-answers-interplay_en.

⁸ Guidelines on Consent under Regulation 2016/679 of the former Article 29 Working Party from 10.04.2018, WP259 rev.01, 17/EN, page 18 (endorsed by the EDPB).

⁹ Assuming that the data subject has not been pressured or threatened with disadvantages when not giving his or her consent.

¹⁰ See Article 17 (1) (b) and (3) GDPR.

¹¹ See Opinion 3/2019 of the EDPB from 23.1.2019, page 7.


Adopted 7


Furthermore, such enacted laws must be interpreted in the light of the principles pursuant to Article 5 GDPR and in consideration of the jurisprudence of the ECJ. In particular, derogations and limitations in relation to the protection of data provided in Article 9 (2) (j) and Article 89 GDPR must apply only in so far as is strictly necessary.¹²


5 DATA PROTECTION PRINCIPLES 


The principles relating to processing of personal data pursuant to Article 5 GDPR shall be respected by 
the controller and processor, especially considering that a great amount of personal data may be 
processed for the purpose of scientific research. Considering the context of the present guidelines, the 
most important aspects of these principles are addressed in the following. 


5.1 Transparency and information to data subjects 

The principle of transparency means that personal data shall be processed fairly and in a transparent 
manner in relation to the data subject. This principle is strongly connected with the information 
obligations pursuant to Article 13 or Article 14 GDPR. 


In general, a data subject must be individually informed of the existence of the processing operation 
and that personal (health) data is being processed for scientific purposes. The information delivered 
should contain all the elements stated in Article 13 or Article 14 GDPR. 


It has to be noted that researchers often process health data that they have not obtained directly from the data subject, for instance using data from patient records or data from patients in other countries. Therefore, Article 14 GDPR, which covers information obligations where personal data is not collected directly from the data subject, will be the focus of this section.


5.1.1 When must the data subject be informed?

When personal data have not been obtained from the data subject, Article 14 (3) (a) GDPR stipulates that the controller shall provide the information “within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed”.


In the current context, it has to be particularly noted that according to Article 14 (4) GDPR, where “the 
controller intends to further process the personal data for a purpose other than that for which the 
personal data were obtained, the controller shall provide the data subject prior to that further 
processing with information on that other purpose”. 


In the case of the further processing of data for scientific purposes and taking into account the 
sensitivity of the data processed, an appropriate safeguard according to Article 89 (1) is to deliver the 
information to the data subject within a reasonable period of time before the implementation of the 
new research project. This allows the data subject to become aware of the research project and 
enables the possibility to exercise his/her rights beforehand. 


5.1.2 Exemptions 

However, Article 14 (5) GDPR stipulates four exemptions of the information obligation. In the current context, the exemptions pursuant to Article 14 (5) (b) (“proves impossible or would involve a disproportionate effort”) and (c) (“obtaining or disclosure is expressly laid down by Union or Member State law”) GDPR are of particular relevance, especially for the information obligation pursuant to Article 14 (4) GDPR.


¹² See for example, regarding the Directive 95/46/EC, ECJ 14.2.2019, C-345/17 (Buivids) paragraph 64.


5.1.2.1 Proves impossible 

In its Guidelines regarding the principle of Transparency,¹³ the former Article 29 Working Party has already pointed out that “the situation where it “proves impossible” under Article 14 (5) (b) to provide the information is an all or nothing situation because something is either impossible or it is not; there are no degrees of impossibility. Thus, if a data controller seeks to rely on this exemption it must demonstrate the factors that actually prevent it from providing the information in question to data subjects. If, after a certain period of time, the factors that caused the “impossibility” no longer exist and it becomes possible to provide the information to data subjects then the data controller should immediately do so. In practice, there will be very few situations in which a data controller can demonstrate that it is actually impossible to provide the information to data subjects.”


5.1.2.2 Disproportionate effort 

In determining what constitutes disproportionate effort, Recital 62 refers to the number of data subjects, the age of the data and appropriate safeguards in place as possible indicative factors. In the Transparency Guidelines mentioned above,¹⁴ it is recommended that the controller should therefore carry out a balancing exercise to assess the effort involved to provide the information to data subjects against the impact and effects on the data subject if they are not provided with the information.


Example: A large number of data subjects where there is no available contact information could be 
considered as a disproportionate effort to provide the information. 


5.1.2.3 Serious impairment of objectives

To rely on this exception, data controllers must demonstrate that the provision of the information set 
out in Article 14 (1) per se would render impossible or seriously impair the achievement of the 
objectives of the processing. 


In a case where the exemption of Article 14 (5) (b) GDPR applies, “the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available”.


5.1.2.4 Obtaining or disclosure is expressly laid down by Union or Member State law 

Article 14 (5) (c) GDPR allows for a derogation of the information requirements in Article 14 (1), (2) and (4) insofar as the obtaining or disclosure of personal data “is expressly laid down by Union or Member State law to which the controller is subject”. This exemption is conditional upon the law in question providing “appropriate measures to protect the data subject’s legitimate interests”. As stated in the above-mentioned Transparency Guidelines,¹⁵ such law must directly address the data controller and the obtaining or disclosure in question should be mandatory upon the data controller. When relying on this exemption, the EDPB recalls that the data controller must be able to demonstrate how the law in question applies to them and requires them to either obtain or disclose the personal data in question.


¹³ See the Guidelines on transparency under Regulation 2016/679 of the former Article 29 Working Party from 11.4.2018, WP260 rev.01, 17/EN, page 29 (endorsed by the EDPB). Available at https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227.

¹⁴ Guidelines on transparency under Regulation 2016/679 of the former Article 29 Working Party from 11.4.2018, WP260 rev.01, 17/EN, page 31 (endorsed by the EDPB).

¹⁵ Guidelines on transparency under Regulation 2016/679 of the former Article 29 Working Party from 11.4.2018, WP260 rev.01, 17/EN, page 32 (endorsed by the EDPB).


5.2 Purpose limitation and presumption of compatibility

As a general rule, data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” pursuant to Article 5 (1) (b) GDPR.


However the “compatibility presumption” provided by Article 5 (1) (b) GDPR states that “further 
processing for [...] scientific research purposes [...] shall, in accordance with Article 89 (1), not be 
considered to be incompatible with the initial purposes”. This topic, due to its horizontal and complex 
nature, will be considered in more detail in the planned EDPB guidelines on the processing of health 
data for the purpose of scientific research. 


Article 89 (1) GDPR stipulates that the processing of data for research purposes “shall be subject to 
appropriate safeguards” and that those “safeguards shall ensure that technical and organisational 
measures are in place in particular in order to ensure respect for the principle of data minimisation. 
Those measures may include pseudonymisation provided that those purposes can be fulfilled in that 
manner”. 


The requirements of Article 89 (1) GDPR emphasise the importance of the data minimisation principle and the principle of integrity and confidentiality as well as the principle of data protection by design and by default (see below).¹⁶ Consequently, considering the sensitive nature of health data and the risks when re-using health data for the purpose of scientific research, strong measures must be taken in order to ensure an appropriate level of security as required by Article 32 (1) GDPR.


5.3 Data minimisation and storage limitation 

In scientific research, data minimisation can be achieved through the requirement of specifying the 
research questions and assessing the type and amount of data necessary to properly answer these 
research questions. Which data is needed depends on the purpose of the research even when the 
research has an explorative nature and should always comply with the purpose limitation principle 
pursuant to Article 5 (1) (b) GDPR. It has to be noted that the data has to be anonymised where it is 
possible to perform the scientific research with anonymised data. 


In addition, proportionate storage periods shall be set. As stipulated by Article 5 (1) (e) GDPR, “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving [...] scientific purposes [...] in accordance with Article 89 (1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject”.


In order to define storage periods (timelines), criteria such as the length and the purpose of the 
research should be taken into account. It has to be noted that national provisions may stipulate rules 
concerning the storage period as well. 


5.4 Integrity and confidentiality

As mentioned above, sensitive data such as health data merit higher protection as their processing is more likely to lead to negative impacts for data subjects. This consideration especially applies in the COVID-19 outbreak as the foreseeable re-use of health data for scientific purposes leads to an increase in the number and type of entities processing such data.


¹⁶ Also see the Guidelines 4/2019 of the EDPB from 13.11.2019 on Data Protection by Design and by Default (version for public consultation), available at https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2019/guidelines-42019-article-25-data-protection-design_en


It has to be noted that the principle of integrity and confidentiality must be read in conjunction with 
the requirements of Article 32 (1) GDPR and Article 89 (1) GDPR. The cited provisions must be fully 
complied with. Therefore, considering the high risks as outlined above, appropriate technical and 
organisational up-to-date measures must be implemented to ensure a sufficient level of security. 


Such measures should at least consist of pseudonymisation,¹⁷ encryption, non-disclosure agreements and strict access role distribution, access role restrictions as well as access logs. It has to be noted that national provisions may stipulate concrete technical requirements or other safeguards such as adherence to professional secrecy rules.


Furthermore, a data protection impact assessment pursuant to Article 35 GDPR must be carried out when such processing is “likely to result in a high risk to the rights and freedoms of natural persons” pursuant to Article 35 (1) GDPR. The lists pursuant to Article 35 (4) and (5) GDPR shall be taken into account.


At this point, the EDPB emphasises the importance of data protection officers. Where applicable, data protection officers should be consulted on processing of health data for the purpose of scientific research in the context of the COVID-19 outbreak.


Finally, the adopted measures to protect data (including during transfers) should be properly 
documented in the record of processing activities. 


6 EXERCISE OF THE RIGHTS OF DATA SUBJECTS 


In principle, situations such as the current COVID-19 outbreak do not suspend or restrict the possibility of data subjects to exercise their rights pursuant to Articles 12 to 22 GDPR. However, Article 89 (2) GDPR allows the national legislator to restrict (some of) the data subject’s rights as set out in Chapter 3 of the Regulation. Because of this, the restrictions of the rights of data subjects may vary depending on the enacted laws of the particular Member State.


Furthermore, some restrictions of the rights of data subjects can be based directly on the Regulation, 
such as the access right restriction pursuant to Article 15 (4) GDPR and the restriction of the right to 
erasure pursuant to Article 17 (3) (d) GDPR. The information obligation exemptions pursuant to Article 
14 (5) GDPR have already been addressed above. 


It has to be noted that, in the light of the jurisprudence of the ECJ, all restrictions of the rights of data subjects must apply only in so far as they are strictly necessary.¹⁸


¹⁷ It has to be noted that personal (health) data that has been pseudonymised is still regarded as “personal data” pursuant to Article 4 (1) GDPR and must not be confused with “anonymised data”, where it is no longer possible for anyone to refer back to individual data subjects. See for example Recital 28.

¹⁸ See for example, regarding the Directive 95/46/EC, ECJ 14.2.2019, C-345/17 (Buivids) paragraph 64.
7 INTERNATIONAL DATA TRANSFERS FOR SCIENTIFIC RESEARCH PURPOSES


Within the context of research and specifically in the context of the COVID-19 pandemic, there will probably be a need for international cooperation that may also imply international transfers of health data for the purpose of scientific research outside of the EEA.


When personal data is transferred to a non-EEA country or international organisation, in addition to complying with the rules set out in the GDPR,¹⁹ especially its Article 5 (data protection principles), Article 6 (lawfulness) and Article 9 (special categories of data),²⁰ the data exporter shall also comply with Chapter V (data transfers).²¹


In addition to the regular transparency requirement as mentioned on page 7 of the present guidelines, a duty rests on the data exporter to inform data subjects that it intends to transfer personal data to a third country or international organisation. This includes information about the existence or absence of an adequacy decision by the European Commission, or whether the transfer is based on a suitable safeguard from Article 46 or on a derogation of Article 49 (1). This duty exists irrespective of whether the personal data was obtained directly from the data subject or not.


In general, when considering how to address such conditions for transfers of personal data to third countries or international organisations, data exporters should assess the risks to the rights and the freedoms of data subjects of each transfer²² and favour solutions that guarantee data subjects the continuous protection of their fundamental rights and safeguards as regards the processing of their data, even after it has been transferred. This will be the case for transfers to countries having an adequate level of protection,²³ or in case of use of one of the appropriate safeguards included in Article 46 GDPR,²⁴ ensuring that enforceable rights and effective legal remedies are available for data subjects.


In the absence of an adequacy decision pursuant to Article 45 (3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, Article 49 GDPR envisages certain specific situations under which transfers of personal data can take place as an exception. The derogations enshrined in Article 49 GDPR are thus exemptions from the general rule and, therefore, must be interpreted restrictively, and on a case-by-case basis.²⁵ Applied to the current COVID-19 crisis, those addressed in Article 49 (1) (d) (“transfer necessary for important reasons of public interest”) and (a) (“explicit consent”) may apply.


The COVID-19 pandemic causes an exceptional sanitary crisis of an unprecedented nature and scale. In this context, the EDPB considers that the fight against COVID-19 has been recognised by the EU and most of its Member States as an important public interest,²⁶ which may require urgent action in the field of scientific research (for example to identify treatments and/or develop vaccines), and may also involve transfers to third countries or international organisations.²⁷


¹⁹ Article 44 GDPR.

²⁰ See sections 4 to 6 of the present Guidelines.

²¹ See the Guidelines 2/2018 of the EDPB from 25.5.2018 on derogations of Article 49 under Regulation 2016/679, page 3, on the two-step test, available at https://edpb.europa.eu/our-work-tools/our-documents/smjernice/guidelines-22018-derogations-article-49-under-regulation_en.

²² International data transfers may be a risk factor to consider when performing a DPIA as referred to in page 10 of the present guidelines.

²³ The list of countries recognised as adequate by the European Commission is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

²⁴ For example standard data protection clauses pursuant to Article 46 (2) (c) or (d) GDPR, ad hoc contractual clauses pursuant to Article 46 (3) (a) GDPR or administrative arrangements pursuant to Article 46 (3) (b) GDPR.

²⁵ See Guidelines 2/2018, page 3.


Not only public authorities, but also private entities playing a role in pursuing such public interest (for 
example, a university's research institute cooperating on the development of a vaccine in the context 
of an international partnership) could, under the current pandemic context, rely upon the derogation 
mentioned above. 


In addition, in certain situations, in particular where transfers are performed by private entities for the purpose of medical research aiming at fighting the COVID-19 pandemic,²⁸ such transfers of personal data could alternatively take place on the basis of the explicit consent of the data subjects.²⁹


66. Public authorities and private entities may, under the current pandemic context, when it is not possible to rely on an adequacy decision pursuant to Article 45 (3) or on appropriate safeguards pursuant to Article 46, rely upon the applicable derogations mentioned above, mainly as a temporary measure due to the urgency of the medical situation globally.


67. Indeed, if the nature of the COVID-19 crisis may justify the use of the applicable derogations for initial transfers carried out for the purpose of research in this context, repetitive transfers of data to third countries as part of a long-lasting research project in this regard would need to be framed with appropriate safeguards in accordance with Article 46 GDPR.30


68. Finally, it has to be noted that any such transfers will need to take into consideration on a case-by-case basis the respective roles (controller, processor, joint controller) and related obligations of the actors involved (sponsor, investigator) in order to identify the appropriate measures for framing the transfer.


8 SUMMARY 


The key findings of these guidelines are: 


1. The GDPR provides special rules for the processing of health data for the purpose of scientific research that are also applicable in the context of the COVID-19 pandemic.


2. The national legislator of each Member State may enact specific laws pursuant to Article (9) (2) (i) and (j) GDPR to enable the processing of health data for scientific research purposes. The processing of health data for the purpose of scientific research must also be covered by one of the legal bases in Article 6 (1) GDPR. Therefore, the conditions and the extent of such processing vary depending on the enacted laws of the particular Member State.

26 Article 168 of the Treaty on the Functioning of the European Union recognises a high level of human health protection as an important objective that should be ensured in the implementation of all Union policies and activities. On this basis, Union action supports national policies to improve public health, including in combatting against major health scourges and serious cross-border threats to health, e.g. by promoting research into their causes, transmission and prevention. Similarly, Recitals 46 and 112 of the GDPR refer to processing carried out in the context of the fight against epidemics as an example of processing serving important grounds of public interest. In the context of the COVID-19 pandemic, the EU has adopted a series of measures in a broad range of areas (e.g. funding of healthcare systems, support to cross-border patients and deployment of medical staff, financial assistance to the most deprived, transport, medical devices etc.) premised on the understanding that the EU is facing a major public health emergency requiring an urgent response.
27 The EDPB underlines that the GDPR, in its Recital 112, refers to the international data exchange between services competent for public health purposes as an example of the application of this derogation.
28 In accordance with Article 49 (3) GDPR, consent cannot be used for activities carried out by public authorities in the exercise of their public powers.
29 See EDPB Guidelines 2/2018, section 2.1.
30 See EDPB Guidelines 2/2018, page 5.


3. All enacted laws based on Article (9) (2) (i) and (j) GDPR must be interpreted in the light of the principles pursuant to Article 5 GDPR and in consideration of the jurisprudence of the ECJ. In particular, derogations and limitations in relation to the protection of data provided in Article 9 (2) (j) and Article 89 (2) GDPR must apply only in so far as is strictly necessary.


4. Considering the processing risks in the context of the COVID-19 outbreak, high emphasis must be put on compliance with Article 5 (1) (f), Article 32 (1) and Article 89 (1) GDPR. There must be an assessment of whether a DPIA pursuant to Article 35 GDPR has to be carried out.


5. Storage periods (timelines) shall be set and must be proportionate. In order to define such 
storage periods, criteria such as the length and the purpose of the research should be taken 
into account. National provisions may stipulate rules concerning the storage period as well and 
must therefore be considered. 


6. In principle, situations such as the current COVID-19 outbreak do not suspend or restrict the possibility for data subjects to exercise their rights pursuant to Articles 12 to 22 GDPR. However, Article 89 (2) GDPR allows the national legislator to restrict (some of) the data subject's rights as set out in Chapter 3 of the GDPR. Because of this, the restrictions of the rights of data subjects may vary depending on the enacted laws of the particular Member State.


7. With respect to international transfers, in the absence of an adequacy decision pursuant to Article 45 (3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, public authorities and private entities may rely upon the applicable derogations pursuant to Article 49 GDPR. However, the derogations of Article 49 GDPR are of an exceptional character only.


For the European Data Protection Board 
The Chair 
(Andrea Jelinek) 